From 7af057e3b4f5f9e2d4546367b38919964b316e4e Mon Sep 17 00:00:00 2001 From: Abdul Raheem Siddiqui Date: Tue, 5 Dec 2023 16:38:54 -0500 Subject: [PATCH 1/3] Update dockerfile --- api/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/api/Dockerfile b/api/Dockerfile index fd7eec9..9306054 100644 --- a/api/Dockerfile +++ b/api/Dockerfile @@ -28,5 +28,5 @@ COPY --from=dev /app/public /app/public COPY --from=dev /app/views /app/views COPY --from=dev /app/docs /app/docs -ENTRYPOINT ["/app/main", "-pld", "plugins"] +ENTRYPOINT ["/app/main"] # ------------------------------- From 9a3415295bfc013442b7fe6fccb1ff50eed2a00a Mon Sep 17 00:00:00 2001 From: Abdul Raheem Siddiqui Date: Wed, 6 Dec 2023 09:39:53 -0500 Subject: [PATCH 2/3] Update tests --- .github/workflows/e2e-tests.yml | 1 + tests/e2e/tests.postman_collection.json | 24 ++++++++++++++++++++++++ 2 files changed, 25 insertions(+) diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index 7ed51b3..f3440d9 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml @@ -25,6 +25,7 @@ jobs: echo STORAGE_RESULTS_PREFIX='results' >> .env echo STORAGE_LOGS_PREFIX='logs' >> .env + echo PLUGINS_LOAD_DIR='plugins' >> .env echo PLUGINS_DIR='/.data/plugins' >> .env echo TMP_JOB_LOGS_DIR='/.data/tmp/logs' >> .env diff --git a/tests/e2e/tests.postman_collection.json b/tests/e2e/tests.postman_collection.json index f47a9d6..e885b17 100644 --- a/tests/e2e/tests.postman_collection.json +++ b/tests/e2e/tests.postman_collection.json @@ -169,6 +169,30 @@ }, "response": [] }, + { + "name": "delete-startup-process", + "request": { + "method": "DELETE", + "header": [], + "url": { + "raw": "{{url}}/processes/:processID", + "host": [ + "{{url}}" + ], + "path": [ + "processes", + ":processID" + ], + "variable": [ + { + "key": "processID", + "value": "pywrite" + } + ] + } + }, + "response": [] + }, { "name": "add-process", "request": { From 86fd844adbf222905dcf8eb69b1aea009946a8bd Mon Sep 17 00:00:00 2001 From: Abdul Raheem Siddiqui Date: Wed, 6 Dec 2023 15:51:48 -0500 Subject: [PATCH 3/3] Remove bot role --- DEV_GUIDE.md | 1 + api/handlers/config.go | 10 +++++----- api/handlers/handlers.go | 4 ++-- example.env | 1 - 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/DEV_GUIDE.md b/DEV_GUIDE.md index 0a297cc..a7bb61e 100644 --- a/DEV_GUIDE.md +++ b/DEV_GUIDE.md @@ -16,6 +16,7 @@ - A user can use tools like Postman to set these headers themselves, but if auth is enabled, they will be checked against the token. This setup allows adding submitter info to the database when auth is not enabled. - I auth is enabled `X-ProcessAPI-User-Email` header is mandatory. - Requests from Service Role will not be verified for `X-ProcessAPI-User-Email`. +- Only service_accounts can post callbacks - Requests from Admin Role are allowed to execute all processes, non-admins must have the role with same name as `processID` to execute that process. - Requests from Admin Role are allowed to retrieve all jobs information, non admins can only retrieve information for jobs that they submitted. - Only admins can add/update/delete processes \ No newline at end of file diff --git a/api/handlers/config.go b/api/handlers/config.go index a60fbda..01d3e91 100644 --- a/api/handlers/config.go +++ b/api/handlers/config.go @@ -43,9 +43,9 @@ type RESTHandler struct { ProcessList *pr.ProcessList // Read DEV_GUIDE.md to learn about these - AuthLevel int - AdminRoleName string - BotRoleName string + AuthLevel int + AdminRoleName string + ServiceRoleName string } // Pretty print a JSON @@ -79,8 +79,8 @@ func NewRESTHander() *RESTHandler { "http://www.opengis.net/spec/ogcapi-processes-1/1.0/conf/job-list", "http://www.opengis.net/spec/ogcapi-processes-1/1.0/conf/dismiss", }, - AdminRoleName: os.Getenv("AUTH_ADMIN_ROLE"), - BotRoleName: os.Getenv("AUTH_BOT_ROLE"), + AdminRoleName: os.Getenv("AUTH_ADMIN_ROLE"), + ServiceRoleName: os.Getenv("AUTH_SERVICE_ROLE"), } dbType, exist := os.LookupEnv("DB_SERVICE") diff --git a/api/handlers/handlers.go b/api/handlers/handlers.go index 3740e87..752520e 100644 --- a/api/handlers/handlers.go +++ b/api/handlers/handlers.go @@ -633,8 +633,8 @@ func (rh *RESTHandler) JobStatusUpdateHandler(c echo.Context) error { if rh.AuthLevel > 0 { roles := strings.Split(c.Request().Header.Get("X-ProcessAPI-User-Roles"), ",") - // admins are allowed to execute all processes, else you need to have same role as processId - if !utils.StringInSlice(rh.BotRoleName, roles) && !utils.StringInSlice(rh.AdminRoleName, roles) { + // only service accounts or admins can post status updates + if !utils.StringInSlice(rh.ServiceRoleName, roles) && !utils.StringInSlice(rh.AdminRoleName, roles) { return c.JSON(http.StatusUnauthorized, errResponse{Message: "unauthorized"}) } } diff --git a/example.env b/example.env index 9cd9cbe..8d75e60 100644 --- a/example.env +++ b/example.env @@ -29,7 +29,6 @@ AUTH_SERVICE='' # Options: ['', 'keycloak'] (Optiona AUTH_LEVEL='0' # Options: [0, 1, 2] corresponds to [no auth, some routes protected, all routes protected] (Optional). AUTH_ADMIN_ROLE='admin' AUTH_SERVICE_ROLE='service_account' -AUHT_BOT_ROLE='bot' # --- Plugins PLUGINS_LOAD_DIR='' # Load plugins from this directory at startup (Optional).